On 5/8/2014 1:16 PM, Adam Thompson wrote:
> Sorry for the late addition... Perhaps this was already covered, but if not:
> 
> Please don't filter ICMPv6. This is one of the key points every
> intro-to-v6 class teaches: IPv6 actually *needs* ICMPv6 to function in
> pretty much every situation.
> 
> The official guidance on this subject is RFC 4890, "Recommendations for
> Filtering ICMPv6 Messages in Firewalls".
> The TL;DR version is "just don't".
> If a firewall operator can't read the RFC, and accurately distinguish
> between transit and local traffic, then they shouldn't filter any of it.
> 
> (Yes, I'm being a hard-ass here, because I already see people breaking
> IPv6 because they think it's OK to filter ICMP.)
> 
> It is probably possible to extrapolate a base set of recommendations
> that pfSense might be able to build in, similar to how there's a lot of
> automatic IPv4 filtering under the hood, but I don't believe this has
> been done yet.

Code of interest here:
https://github.com/pfsense/pfsense/blob/master/etc/inc/filter.inc#L2644

IMO, I agree that it's best to let ICMP flow free on IPv6. ICMP has had
a bad reputation for a long time, and it's mostly undeserved in recent
times.

Jim
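
Added example, not part of the original message and not pfSense's filter.inc: a Python sketch that audits a list of ICMPv6 drop rules against the transit-traffic recommendations of RFC 4890. The type/code table is a condensed reading of RFC 4890 section 4.3, and the function names and sample rule list are constructed for illustration.

```python
# Condensed from RFC 4890 section 4.3 (ICMPv6 passing *through* a firewall).
# Key = ICMPv6 type; value None = every code, otherwise the set of codes.
MUST_NOT_DROP = {
    1: None,     # Destination Unreachable
    2: None,     # Packet Too Big (Path MTU Discovery depends on it)
    3: {0},      # Time Exceeded: hop limit exceeded in transit
    4: {1, 2},   # Parameter Problem: unrecognized next header / option
    128: None,   # Echo Request
    129: None,   # Echo Reply
}
SHOULD_NOT_DROP = {3: {1}, 4: {0}, 144: None, 145: None, 146: None, 147: None}
# MLD, Neighbor Discovery, SEND, multicast router discovery: link-local
# signalling that routers do not forward, so a transit rule is moot.
LINK_LOCAL_ONLY = set(range(130, 138)) | {141, 142, 143, 148, 149, 151, 152, 153}


def _matches(table, icmp_type, code):
    if icmp_type not in table:
        return False
    codes = table[icmp_type]
    return codes is None or code in codes


def transit_advice(icmp_type, code=0):
    """Classify one ICMPv6 type/code for traffic transiting the firewall."""
    if not (0 <= icmp_type <= 255 and 0 <= code <= 255):
        raise ValueError("ICMPv6 type and code are single octets")
    if _matches(MUST_NOT_DROP, icmp_type, code):
        return "must-not-drop"
    if _matches(SHOULD_NOT_DROP, icmp_type, code):
        return "should-not-drop"
    if icmp_type in LINK_LOCAL_ONLY:
        return "not-forwarded"
    return "policy"  # local policy decides (experimental, unallocated, ...)


def audit_drop_rules(rules):
    """rules: (type, code) pairs the firewall drops; code None = all codes.
    Returns only the rules that conflict with the RFC's transit guidance."""
    findings = {}
    for icmp_type, code in rules:
        if code is None:  # a blanket rule is judged by its strictest code
            advice = ("must-not-drop" if icmp_type in MUST_NOT_DROP else
                      "should-not-drop" if icmp_type in SHOULD_NOT_DROP else
                      transit_advice(icmp_type))
        else:
            advice = transit_advice(icmp_type, code)
        if advice in ("must-not-drop", "should-not-drop"):
            findings[(icmp_type, code)] = advice
    return findings


# Constructed sample: drop rules someone might carry over from IPv4 habits.
SAMPLE_RULES = [(2, None), (128, None), (3, 1), (135, None), (139, None)]
```

Local traffic (packets addressed to the firewall's own interfaces) has a different table in the RFC, where Neighbor Discovery is essential rather than moot; this sketch covers the transit case only.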